Trust Assessment
clawland received a trust score of 94/100, placing it in the Trusted category. This skill has passed all critical security checks and demonstrates strong security practices.
SkillShield's automated analysis identified 1 finding: 0 critical, 0 high, 1 medium, and 0 low severity. Key findings include Unpinned Node.js dependencies.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| MEDIUM | Unpinned Node.js dependencies: The `scripts/common.js` file dynamically installs Node.js dependencies using `npm install`. Several critical dependencies (`@coral-xyz/anchor`, `@solana/spl-token`, `bs58`, `tweetnacl`) are not pinned to a specific version. This means `npm` will fetch the latest available version, which introduces a supply chain risk. A malicious update to any of these packages could be automatically installed and executed, leading to compromise. Pin all Node.js dependencies to exact versions (e.g., `package@1.2.3`) in the `npm install` command to ensure deterministic and secure dependency resolution. For example, change `@coral-xyz/anchor` to `@coral-xyz/anchor@0.29.0` (or the specific version known to be stable and secure). | LLM | scripts/common.js:37 |